AMTRAK CORPORATE GOVERNANCE:
Implementing a Risk Management Framework is Essential to Achieving Amtrak’s Strategic Goals

Report No. OIG-A-2012-007 | March 30, 2012

NATIONAL RAILROAD PASSENGER CORPORATION
The Inspector General

Memorandum

To: Thomas C. Carper, Chairman, Board of Directors
    Joseph Boardman, President and CEO

From: Ted Alves

Date: March 30, 2012

Subject: Amtrak Corporate Governance: Implementing a Risk Management Framework is Essential to Achieving Amtrak’s Strategic Goals (Report No. OIG-A-2012-007)

Both federal agencies and publicly traded companies have established processes to manage risk in order to help achieve their strategic goals and objectives. Amtrak’s Board of Directors plays a key role in ensuring that the company accomplishes its stated goals in an efficient and effective manner. With the addition of three Board members since June 2010, the Board now has greater capacity to fulfill its governance responsibilities for Amtrak programs and operations. To better understand the company’s approach to managing risk, the Board asked that we audit Amtrak’s risk management process. This report provides the results of that audit.

Risk management provides a mechanism to identify and deal with any risk, but focuses on risks that could prevent a company from reaching its objectives.
The enterprise risk management (ERM)[1] framework is widely used and generally regarded as a best practice model that organizations can use to deal effectively with potential future events that can adversely affect company operations, and to ensure that business processes and internal controls are operating effectively and efficiently. The key milestones in developing the current model of an ERM framework are summarized below.

[1] The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published Enterprise Risk Management—Integrated Framework in September 2004.

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published a document entitled “Internal Control—Integrated Framework.” This document provided a framework for establishing a system of internal controls and provided evaluation tools that businesses and other entities could use to evaluate their control systems. The internal control framework consists of five interrelated components: control environment, risk assessment, control activities, information/communication, and monitoring.

This 1992 internal control framework was a precursor to COSO’s 2004 Enterprise Risk Management—Integrated Framework, a roadmap to provide companies with a methodology for managing risks as well as taking advantage of opportunities to grow their businesses.
That model consists of eight interrelated components: (1) the internal environment, (2) objective setting, (3) event identification, (4) risk assessment, (5) risk response, (6) control activities, (7) information and communication, and (8) monitoring.

Our objectives were to (1) determine the extent to which Amtrak manages risk in a corporate-wide, systematic manner; and (2) identify risk management best practices in public and private organizations and compare those with Amtrak’s risk management activities. We used the COSO framework as a best practice to help us accomplish our objectives. For a detailed discussion of our audit scope and methodology, see Appendix I.

SUMMARY OF RESULTS
Amtrak currently does not have a formal, coordinated, and systematic enterprise-wide framework for identifying, analyzing, and managing risk. As our work progressed it became clear that Amtrak managers and executives do identify and mitigate risks. However, these efforts are often ad-hoc and narrowly focused on operational or compliance risks within individual departments. For example, Amtrak senior managers identify risks within their units based on their experience and knowledge of operations, and establish controls to address these risks within their units. However, because the company has not established a risk management process, these risks were not identified using a formal organization-wide methodology.
In addition, because Amtrak did not have a comprehensive risk management process, risk mitigation efforts may not be adequate to address root causes, and the Chief Executive Officer (CEO) and Board may not be informed of the risk and mitigation plans.

In discussing the results of our work with Amtrak senior executives, they agreed with the need to improve their risk management practices. The company then took initial steps toward addressing this issue by committing—in the October 1, 2011, Strategic Plan—to establish an ERM framework that is based on industry best practices. This is an important first step and shows a proactive approach on the company’s part.

Recognizing this commitment, we focused on identifying best practices that could be adopted by the company. Our audit work noted that one of the keys to success for some organizations was to build a comprehensive ERM process using incremental steps, rather than starting with an enterprise-wide effort. Given the ad-hoc nature of Amtrak’s current risk management practices and control activities, it appears that an incremental approach could provide the greatest likelihood for implementation success. Further, focusing that approach on the ongoing implementation of a selected goal within the Strategic Plan could be a logical start to the implementation of an ERM framework.

Based on our judgment, together with input from Amtrak’s senior executives, we believe that Amtrak should begin the ERM process by applying its principles to Goal 5 of the Strategic Plan—Financial and Organizational Excellence. This goal has three key advantages as a starting point for implementing an ERM framework:

• The goal relates to the entire organization and therefore would introduce and apply the ERM framework Amtrak-wide.
This is a significant step that would help lay the foundation for broader implementation of the ERM framework over time.

• The goal addresses financial performance and overall business results. These are key areas at the heart of what an ERM framework is designed to help a company achieve. Further, improvements in these areas link directly to the overall goals of the Passenger Rail Investment and Improvement Act of 2008.[2] To the extent that ERM helps achieve this strategic goal, it would also help achieve the act’s goal of making Amtrak less dependent on federal subsidies.

• Amtrak has weaknesses in its business processes and internal controls. Focusing on Goal 5 will result in an in-depth analysis of financial and operational controls with the objective of ensuring that they effectively and efficiently support improved business processes and financial performance.

[2] The Passenger Rail Investment and Improvement Act authorized nearly $10 billion for Fiscal Years 2009–2013 for Amtrak’s operating costs and capital investments, including actions to help Amtrak improve financial management, operate more efficiently, and improve services on existing routes.

We recommend that the Board of Directors and the President and CEO take the following actions:

1. In the long term, develop and implement an ERM process for the entire organization to include the Board of Directors, which is consistent with the COSO framework.
2. In the near term, using an incremental approach, develop and implement an ERM process, to include the Board of Directors, that focuses on Goal 5 of the Amtrak Strategic Plan—Financial and Organizational Excellence.

In commenting on a draft of this report, the Chairman of the Board of Directors and the President and CEO stated that it is imperative that the Board discuss our recommendations with an answer to the time, resources, and priority needed to make a commitment. Once the Board has had an opportunity to understand the commitment this will take, guidance will be provided to management, and the company will provide the Office of the Inspector General with more detailed information about Amtrak’s plan to implement ERM. The full response to our draft report can be found in Appendix IV.

The company’s response is consistent with the intent of our recommendations and reflects the incremental approach we are recommending to address the ERM issue. We will periodically follow up on the Company’s implementation efforts.

AMTRAK’S PRESENT APPROACH TO MANAGING RISK IS AD-HOC, BUT IT HAS COMMITTED TO A FORMAL PROCESS
Amtrak does not currently have a formal, coordinated, systematic, enterprise-wide framework for identifying, analyzing, and managing risks. Amtrak does have some risk management activities in place; however, these activities are often on an ad-hoc basis, and are narrowly focused on operational or compliance risks within a single operating unit.
In addition, because Amtrak does not have a comprehensive risk management process, risk mitigation actions may not be adequate to address root causes, and the CEO and Board may not be informed of the risk and mitigation plans.[3]

In discussing our observations with Amtrak senior executives, they acknowledged the need to improve their risk management practices. Amtrak’s October 2011 Strategic Plan took initial steps toward that goal by committing to establishing an enterprise risk management framework based on industry best practices. This is an important first step and shows a proactive approach on the company’s part to address this issue.

Amtrak’s Current Risk Activities Yield Some Risk Mitigation Results
While Amtrak did apply certain aspects of the risk management components, this was done in an ad-hoc manner, without any company-wide policy or process to provide guidance and consistency. Figure 1 illustrates the stovepiped nature of Amtrak’s current risk management process—that is, each unit addresses risk, for the most part, within that unit alone and not across the organization.

[3] There are no statutory or legal requirements for the vast majority of private companies, including Amtrak, to implement ERM or, for instance, to form risk committees under the Board of Directors. The corporate environment outside of Amtrak has seen the emergence of a few laws or regulations that have ERM mandates or characteristics for some publicly traded corporations. See, for example, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Pub. L. 111-203 2010); the Sarbanes-Oxley Act of 2002 (Pub. L. 107-204); and the Securities and Exchange Commission Release 33-9089 (Feb.
28, 2010) and Item 407 of Regulation S-K, 17 CFR 229.400.

Figure 1. Amtrak’s Traditional, Stovepiped Risk Management Approach
Source: Amtrak Office of Inspector General (OIG)

As discussed below, we analyzed the risk management processes in Amtrak organizational units as they relate to four COSO ERM components—risk identification, objective setting, risk response, and control activities. Amtrak’s current risk management practices do not reflect an entity-wide management of risk, yet they do result in actions that mitigate certain risks and provide a good starting point for establishing a more comprehensive risk management program.

Specifically:

    Risk Identification - According to COSO, the risk identification component involves the identification of potential events affecting achievement of an organization’s strategic objectives.

Risk Identification Component. Currently, risk identification is performed on an ad-hoc basis and is limited because risk is identified on a unit-by-unit basis and not across the entire organization. Each of Amtrak’s organizational senior managers provided us with a list of risks they have identified from their day-to-day operations; for example:

• Information technology (IT) systems and processes are not fully documented to ensure that they are working properly (IT)
• Losses occur due to employee theft (Transportation)
• Expertise could be lost due to a substantial number of retirements (Engineering, Transportation, Human Resources, Policy and Development, and Chief Financial Officer)
• Performance of adequate maintenance is hindered due to obsolete material and technology (Mechanical)
• Customer expectations may not be met due to difficulties in upgrading current equipment while minimizing costs (Mechanical)
• Terrorism and criminal acts may be directed toward Amtrak passengers, employees, and property (Amtrak Police Department, Finance)
• Individual departments may be addressing the same risks independently, raising the concern that more funds than necessary will be spent to address the same problem (Chief Financial Officer)
• Amtrak may not be maximizing its revenue through management of its ridership capacity by adjusting pricing in response to market demand (Marketing)

    Objectives-Setting—Strategic objectives are high-level goals that are aligned with the organization’s mission; they should establish a basis for operational effectiveness, reliable financial reporting, and compliance with laws and regulations. To add assurance that a company will achieve its strategic objectives, management should identify risks and consider their implications.

Objective Setting Component. Amtrak issued a new Strategic Plan in October 2011. The plan is a good step forward given that Amtrak did not have one for years and was slow to respond to recommendations to develop one. The plan contains organization-wide objectives and is intended to provide a compass by which all business decisions will be made. It contains a vision statement, corporate goals, performance targets, and proposed strategic activities. In addition, the plan includes seven corporate strategies that align with one or more corporate goals.

The Strategic Plan further identifies potential risks categorized as internal and external factors that may have a negative impact on future performance and prevent the company from reaching its goals.
The plan also links strategies to goals, but it does not link the strategies to risks, nor does it describe how these risks could affect the achievement of the objectives or the manner in which Amtrak plans to mitigate them. Linking risks to strategic objectives helps identify and prioritize the most important risks that could prevent the achievement of those objectives.

For example, one of Amtrak’s corporate strategies is to identify and invest in systems and technologies that will simultaneously reduce energy usage and operating expenses. This strategy aligns with two goals, financial and organizational excellence and environment and energy. Performance against this strategy includes measurements of a reduction in total diesel fuel consumption per seat mile, a reduction in locomotive electric consumption, and a reduction in station electrical use. In a memorandum transmitting the Strategic Plan, Amtrak’s President and CEO stated that the company plans to develop tactical plans to guide its business units. However, it lacks a formal process to identify, discuss, or describe actions to address and manage the internal or external factors (risks) that may have a negative impact on Amtrak’s ability to achieve its objectives.

    Risk Response - According to the COSO framework, responding to risks on an organization-wide basis ensures that appropriate safeguards are put in place to mitigate problems that could negatively affect the company either financially or operationally. Once risks have been identified, management must determine the courses of action the organization should take to address them. Management’s risk responses can be grouped into four categories--avoidance, reduction, sharing, and acceptance.

Risk Response Component. Amtrak’s operational units have developed risk responses in several areas that Amtrak can build on as it begins to develop and implement a risk management framework. While some organizational units have developed risk responses to individual risks, Amtrak has not addressed the implications of these risks on an organization-wide basis. For example, some of the risks identified by Amtrak senior executives included the following:

• IT systems and procedures are not fully documented to ensure that they are working properly.
• Expertise could be lost due to a substantial number of retirements.
• Performance of adequate maintenance is hindered due to obsolete material and technology.
• Customer expectations may not be met due to difficulties in upgrading current equipment while minimizing costs.

However, while the risks were identified by each unit, they were not assessed collectively by the senior executives to consider such issues as their relative priority, adequacy of mitigation plans, and whether sufficient resources were being applied to address them. Further, they were not presented at the Board level in a structured manner so the Board could make its assessment of risk, mitigation plans, and resource adequacy. This leaves the company vulnerable to identified risks not being adequately addressed or other risks not being identified.

    Control Activities - According to the COSO framework, control activities are the policies and procedures that implement management’s decisions on what actions to take to mitigate risks and help to assure the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. Control activities are similar to internal controls.

Control Activities Component. Some units within Amtrak have control activities to address risks that the units have identified. Amtrak in general lacks an organization-wide system of internal controls that provides reasonable assurance that the operations are being carried out in an effective and efficient manner. The examples below demonstrate that, currently, some risks are addressed within operational units but not on an organization-wide basis. These examples of control activities implemented by Amtrak operating departments and offices are based on their initiative or in response to our prior audit or review recommendations.

• The Environmental Health and Safety Department conducts audits to monitor its performance against its regulatory requirements and internal policies, and to address any deficiencies. These audits are part of Amtrak’s primary processes for monitoring and measuring environmental performance and reporting the status to specific Amtrak stakeholders.

• Amtrak’s Transportation Department has taken action to improve the economy, efficiency, and internal controls of on-board food and beverage service. For example, Amtrak has established a centralized system to help automate the collection of revenue shortages, restructured staffing for dining cars to reduce labor costs, introduced seat-cart service for selected high-traffic routes to improve cost recovery, and introduced on-board electronic credit card technology to increase sales.

• Treasury Risk Management within the Finance Department reviews contracts with other organizations to ensure that Amtrak assumes the minimum amount of risk possible. The unit also assesses the potential liability for risks for which Amtrak decides to self-insure, such as property or personal injury damages.

• The Office of General Counsel provides advice to other Amtrak units to ensure that these units are in compliance with various laws and regulations. The primary purpose of these efforts is to protect Amtrak from the financial consequences of noncompliance with laws and regulations.

On the other hand, as some of our recent reports have shown, significant gaps exist in Amtrak’s controls. For example, we reported that:

• Control weaknesses existed in human resources management related to planning for future needs, hiring and retaining staff, and the IT systems used to support human resources. Further, many of the recommendations made in previous reports had not been implemented. Amtrak’s not identifying human capital as a risk and placing appropriate emphasis on it could result in the lack of requisite knowledge, skills, and experience among the company’s key personnel that may threaten effective operation of the business.
Amtrak management responded that it would reemphasize its commitment to addressing our findings and that the Chief Human Capital Officer would analyze our report and develop an action plan for addressing the open recommendations.[4]

[4] Amtrak OIG reports Human Capital Management (OIG Report No. E-09-03, May 15, 2009) and Human Capital Management: Lack of Priority Has Slowed OIG-Recommended Actions to Improve Human Capital Management, Training, and Employee Development Practices (OIG Report No. E-11-04, July 8, 2011).

• Amtrak had longstanding weaknesses in controls, processes, and resources for reviewing invoices for on-time-performance payments, resulting in overpayments of $37 million to host railroads. Amtrak’s lack of an adequate process to verify the accuracy of payments made to host railroads creates the risk that assets (cash) are not being safeguarded, and that profits are not being achieved. Amtrak agreed and is taking action to apply additional resources and establish a process to thoroughly review invoices for on-time-performance incentives and other costs before making payments.[5]

• Amtrak provides food and beverage service on board most of its trains. But long-standing internal control weaknesses and gaps continue to make on-board food and beverage revenues and inventories vulnerable to fraud, waste, and abuse.
We estimated that $4 million to $7 million of Amtrak’s food and beverage sales could be at risk of theft unless these control risks are effectively mitigated. Amtrak management agreed with our recommendations and outlined an implementation plan to address these internal control weaknesses.[6]

• Amtrak did not meet the requirement to make all stations accessible to persons with disabilities by July 26, 2010. It is important that Amtrak address the Americans with Disabilities Act (ADA) organizational deficiencies because they increase the risk that funds will not be used efficiently and effectively and that Amtrak will not meet its goal of being ADA-compliant by September 30, 2015. In addition, Amtrak’s current and ongoing lack of ADA compliance creates a potentially significant financial liability risk resulting from legal judgments for not being ADA-compliant and detracts from its strategic goals of improving safety and customer service for all of its passengers. Amtrak management agreed with our recommendations to develop a detailed spending plan to support the Fiscal Year 2012 ADA budget request, and provide Congress with an order-of-magnitude cost estimate for completing all ADA programs by September 30, 2015.[7]

[5] Amtrak OIG reports BNSF On-Time Performance Incentives: Inaccurate Invoices and Lack of Amtrak Management Review Lead to Overpayments (OIG Audit Report No. 407-2003, September 24, 2010), On-Time-Performance Incentives: Inaccurate Invoices Were Paid Due to Long-standing Weaknesses in Amtrak’s Invoice-Review Process (OIG Audit Report No. 403-2010, April 21, 2011), and Amtrak Invoice-Review: Inaccurate Invoices Were Paid, But Progress is Being Made to Improve the Invoice-Review Process (OIG Report No.
OIG-A-2012-005, February 16, 2012).
[6] Food and Beverage Service: Further Actions Needed to Address Revenue Losses Due to Control Weaknesses and Gaps (OIG Report No. E-11-03, June 23, 2011).
[7] Americans with Disabilities Act: Leadership Needed to Help Ensure That Stations Served by Amtrak Are Compliant (OIG Audit Report 109-2010, September 29, 2011).

Amtrak Is Committed to Developing a Risk Management Framework
Amtrak’s October 2011 Strategic Plan cited the need to develop a systematic enterprise-wide risk management process. Specifically, the Strategic Plan noted:

      Several challenges to Amtrak’s success have been identified in this strategic plan. These enterprise risks require management attention, planning and remediation as set forth in this plan and elsewhere. To do so, Amtrak will establish an enterprise risk management framework that is based on industry best practices. This framework will be used to routinely assess the corporation and all business lines while developing a system of control.

BEST PRACTICE APPROACH FOR IMPLEMENTING ERM AT AMTRAK
Recognizing that the company has committed to implementing an effective risk management process, we shifted the focus of our work to identifying best practices that Amtrak could adopt. (See Appendix II for a description of best practices and Appendix III for additional sources of ERM information.) There are various ways to implement an ERM program, ranging from a corporate-wide approach to one of more limited scope, such as focusing on specific risks. A COSO thought paper[8] described how an organization can start to move from informal risk management to ERM. One of the keys to success identified by COSO was building ERM in incremental steps. Given the ad-hoc nature of Amtrak’s current risk management processes, it appears that the incremental approach provides the greatest likelihood for implementation success. Further, linking that approach to the ongoing implementation of the Strategic Plan also appears to be the most logical approach to start the implementation of an ERM framework.

[8] Embracing Enterprise Risk Management, Practical Approaches for Getting Started, COSO, January 2011.

Incremental Approach Is a Recommended Best Practice
Organizations have achieved ERM successes by taking an incremental, step-by-step approach to enhancing their risk management capabilities to provide a more enterprise-wide view over time, rather than undertaking one massive launch effort. They start with a simple process and build from there using incremental steps rather than trying to make a quantum leap to fully implement a complete ERM process. The COSO thought paper and our audit work also identified the following strategies for starting an ERM program:

Board and Senior Management Leadership, Involvement, and Oversight. Support from the Board of Directors and senior management is needed to get the right focus, resources, and attention for ERM.
Directors need to demonstrate clear support for the initiative as well as overseeing what management has designed and implemented to manage top risk exposure. The Board and senior management set the tone for the organization’s risk culture. Their involvement, leadership, and oversight are essential for ERM.

A Strong Leader to Drive the ERM Initiative. Finding a leader to head the initial ERM project is critical for success. Management should identify a leader with the right attributes to head this undertaking, such as having a broad knowledge of the business and its core strategies, strong relationships with directors and executive management, strong communication and facilitation skills, knowledge of the organization’s risks, and broad acceptance and credibility across the organization. This leader will not necessarily be the person to head ERM in the long term, but the person to get the initiative started and to take responsibility for moving the organization’s ERM initiative to the next level. The Board should be comfortable that management has put in place an effective ERM leader who is widely respected across the organization and who has accepted responsibility for overall ERM leadership.

Build on Existing Risk Management Activities. Amtrak has some informal risk management activities in place and can leverage and enhance these activities to move toward a more complete ERM program. For example, senior leaders use informal processes to identify risks. Amtrak’s risk identification process could be improved by adding structure to this process to ensure that all risks have been identified, including emerging risks.
The next steps in the process would include prioritizing the risks for probability and consequence, ensuring that appropriate mitigating processes are in place to manage them, regularly reviewing the effectiveness of the management of the risks, and periodically reporting to the CEO and the Board on risk management.

Leverage Existing Resources. Many organizations have successfully entered the ERM arena by leveraging their existing risk management resources. Organizations often discover that they have the personnel on their existing staffs with the knowledge and capabilities relating to risks and risk management that can be effectively used as a start. For example, some organizations have appointed a management committee, sometimes headed by their Chief Financial Officer, to bring together a wide array of personnel from across the entity that collectively have sufficient knowledge of the organization’s core business model and related risks and risk management practices to get ERM moving. Outside expert support can also be a useful way to leverage existing resources.

Continuing ERM Implementation. Given the evolutionary nature of ERM and the dynamic nature of risk, the process must be ongoing and not viewed as a one-time event. The initial risk assessment process will need periodic updating, and Amtrak will need to be attuned to the need to identify new, emerging risks. In addition, risk mitigation activities, which generally consist of improving business processes and controls, are an ongoing effort.
Once the initial ERM process is operationalized, Amtrak should look for additional ways to expand implementation across the organization. Amtrak’s risk management leaders need to continue to drive further development and maturity of the risk management processes.

Based on our analysis of Amtrak’s risk management activities and the ERM process, we believe that an incremental approach to establishing an ERM process best fits Amtrak, given the company’s current risk identification practices and weak internal control environment. Further, based on our judgment, together with input from Amtrak’s senior executives, we believe that applying the ERM principles to Goal 5 of the Strategic Plan would be advantageous. Goal 5 of the plan states:

     Goal 5—Financial and Organizational Excellence: Attain a standard of organizational excellence by aligning our products, services, processes, and culture with stakeholder expectations to improve financial performance and overall business results.

While we recognize the importance of the other strategic goals, we believe that attaining financial and organizational excellence has three key advantages as a starting point for implementing an ERM framework. Specifically:

• First, the goal relates to the entire organization and therefore would introduce and apply the ERM framework Amtrak-wide.
This is a significant step that would help lay the foundation for broader implementation of the ERM framework over time.

• Second, the goal addresses financial performance and overall business results. These are key areas that are at the heart of what an ERM framework is designed to help a company achieve. Further, improvements in these areas link directly to the overall goals of the Passenger Rail Investment and Improvement Act of 2008. To the extent that ERM is successful in helping to achieve this strategic goal, it would also help to achieve the act’s goal of making Amtrak less dependent on federal subsidies.

• Third, as previously discussed, Amtrak has weaknesses in its business processes and internal controls. Focusing on Goal 5 will result in an in-depth analysis of financial and operational controls with the objective of ensuring that they effectively and efficiently support improved business processes and financial performance.

It is also important to note that while implementation will largely be carried out by the company’s management team, the Board of Directors, given its fiduciary responsibility to represent stakeholders, plays a critical role in ERM as presented by COSO:

       “An entity’s board of directors plays a critical role in overseeing an enterprise-wide approach to risk management. Because management is accountable to the board of directors, the board’s focus on effective oversight is critical to setting the tone and culture towards effective risk management through strategy setting, formulating high level objectives, and approving broad-based resource allocations.”

Currently, because the company has not established a disciplined risk management process, the Board’s ability to oversee risks is limited.
Our meetings with Amtrak Board members disclosed that they were not sure whether they were aware of all major risks facing Amtrak or the adequacy of the mitigation actions to address those risks. Many of the members supported a more structured risk management process. Further, the Board’s ability to oversee risks was also limited because it was not operating with full Board membership. With the addition of three new Board members since June 2010, Amtrak now has seven of nine members authorized by the Passenger Rail Investment and Improvement Act of 2008. As a result, the Board of Directors has been able to reconstitute two Board committees: the Audit and Finance Committee and the Personnel Committee. With this added leadership, the Board has greater capacity to fulfill its governance responsibilities over Amtrak programs and operations.
There are various ways a Board can choose to implement its leadership role, to include

• providing clear support for ERM to ensure that the right focus, resources, and attention are applied;
• overseeing management’s design and implementation of the ERM program;
• overseeing development of and participation in enterprise-wide strategy analysis;
• knowing the extent to which management has established an effective ERM program; and
• understanding the most significant risks and whether management is responding appropriately.

CONCLUSIONS

Amtrak can benefit in terms of improved service and cost effectiveness of operations by better managing risk. The company is to be commended for taking a proactive approach by committing to instituting a risk management process. Taking action shows a desire to focus on the costs and benefits of its risk management activities.

There is no one set model for starting an ERM program, but it is generally agreed that an incremental approach that is tailored to the organization’s culture and capacity to absorb change works best. Amtrak is working to realign the organization with its strategic plan and at the same time recognizes that its business process control environment is weak. Consequently, linking its incremental implementation strategy with one important strategic plan goal appears to be a logical approach that would enhance the likelihood of a successful implementation.
Starting the ERM process with Goal 5 of the Strategic Plan introduces the ERM framework to the entire organization, focuses the ERM process on areas of critical need, and adds assurance that financial and organizational internal controls are operating effectively and efficiently.

RECOMMENDATIONS

In order to better and more systematically manage risk, we recommend that the Amtrak Board of Directors and President and CEO take action to:

1. In the long term, develop and implement an ERM process for the entire organization, to include the Board of Directors, which is consistent with the COSO framework.

2. In the near term, using an incremental approach, develop and implement an ERM process to include the Board of Directors that focuses on Goal 5 of the Amtrak Strategic Plan, Financial and Organizational Excellence.

MANAGEMENT COMMENTS AND OIG RESPONSE

In commenting on a draft of this report, Amtrak’s Chairman, Board of Directors, and the President and CEO stated that they plan to implement ERM.
They indicated that developing a formal ERM program is a complex undertaking and that this is an issue the Board of Directors considers to be extremely important for Amtrak’s future success. They also commented that it is imperative that the Board discuss our recommendations with an answer to the time, resources, and priority needed to make a commitment. They added that, once the Board has had an opportunity to understand the commitment this will take, guidance will be provided to management, and the company will provide to the OIG more detailed information about their plan to implement ERM. Amtrak’s complete comments appear as Appendix IV.

We believe the response by the Chairman and the President and CEO is consistent with the intent of our recommendations and reflects the need to take an incremental approach to implementing an ERM program. We also agree with the approach being taken by the Board of Directors to better understand the commitment this effort will require before taking its next steps. We look forward to receiving detailed information about Amtrak’s plan to implement ERM.
We will periodically follow up on the company’s progress in implementing our recommendations and report separately at the appropriate time.

Appendix I

SCOPE AND METHODOLOGY

Our objectives were to (1) determine the extent to which Amtrak manages risks in a corporate-wide systematic manner, and (2) identify risk management best practices in public and private organizations and compare those to Amtrak’s risk management activities. We performed our audit work from May 2011 through January 2012.

We interviewed eight Board members including Amtrak’s President and CEO, 16 senior executives managing all aspects of Amtrak’s operations and three management staff to determine whether Amtrak manages risk in a corporate-wide, systematic manner. We discussed with these senior executives the key risks faced by their departments, or Amtrak as a whole, and whether these risks are addressed on a corporate-wide, systematic basis or documented in corporate policies. We also reviewed Board of Directors’ briefing documents and minutes of Board meetings to determine the extent to which risks are discussed with the Board.

We documented the extent to which Amtrak has implemented a risk management framework and processes, and compared Amtrak’s framework and processes to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework. We reviewed best practices implemented by other organizations.
We also analyzed selected previous OIG reports to identify weaknesses in Amtrak’s business processes and internal controls.

In addition to analyzing the COSO framework, we reviewed materials related to Enterprise Risk Management (ERM) from a number of sources, including the American Institute of Certified Public Accountants, the Institute of Internal Auditors, and PricewaterhouseCoopers.

To identify industry best practices, we researched and identified both public and private organizations that have established an ERM process for identifying, assessing, and mitigating risks. We identified 12 public and private organizations that already have or are in the process of establishing an ERM program and identified best practices that could assist Amtrak in developing its own ERM program. These organizations included nine federal agencies, one freight railroad company, one port authority, and one state university. We also identified and analyzed publications, articles, or documents relating to risk management that may be useful to Amtrak Management in establishing its Risk Management program. This search resulted in the identification of 27 publications or articles on Risk Management. These publications and articles are listed in Appendix III of this report.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Internal Controls

Our audit reviewed the activities used by Amtrak management to identify and manage risks. This included assessing Amtrak’s risk identification, assessment, and mitigation practices, and management information used in Amtrak’s risk management activities. We did not assess or test these controls. We also relied on our prior audits to generally comment on the overall condition of the Company’s internal controls.

Computer-Processed Data

Due to the nature of the audit objectives and the audit methodology, we did not rely on computer processed data during the audit.

Prior Coverage

We reviewed the following audit reports and used information from those reports in conducting our analysis of issues:

Amtrak Invoice-Review: Inaccurate Invoices Were Paid, But Progress is Being Made to Improve the Invoice-Review Process (OIG Report No. OIG-A-2012-005, February 16, 2012)

On-Time Performance Incentives: Inaccurate Invoices Were Paid Due to Weaknesses in Amtrak’s Invoice-Review Process (OIG Audit Report No. OIG-A-2012-004, February 15, 2012)

Americans with Disabilities Act: Leadership Needed to Help Ensure That Stations Served by Amtrak Are Compliant (OIG Audit Report No. 109-210, September 29, 2011)

Human Capital Management: Lack of Priority Has Slowed OIG-Recommended Actions to Improve Human Capital Management, Training, and Employee Development Practices (OIG Report No.
E-11-04, July 8, 2011)

Food and Beverage Service: Further Actions Needed to Address Revenue Losses Due to Control Weaknesses and Gaps (OIG Report No. E-11-03, June 23, 2011)

On-Time Performance Incentives: Inaccurate Invoices Were Paid Due to Long-standing Weaknesses in Amtrak’s Invoice-Review Process (OIG Audit Report No. 403-2010, April 21, 2011)

BNSF On-Time Performance Incentives: Inaccurate Invoices and Lack of Amtrak Management Review Lead to Overpayments (OIG Audit Report No. 407-2003, September 24, 2010)

Human Capital Management (OIG Report E-09-03, May 15, 2009)

Amtrak Management: Systemic Problems Require Actions to Improve Efficiency, Effectiveness, and Accountability (GAO-06-145, October 4, 2005) [Government Accountability Office]

Appendix II

KEY PRINCIPLES OF ENTERPRISE RISK MANAGEMENT COMPONENTS AND INDUSTRY BEST PRACTICES

This appendix presents key principles inherent in the eight ERM components that were included in the Committee of Sponsoring Organizations’ (COSO) publication Enterprise Risk Management—Integrated Framework, and industry best practices we identified during our audit.

Component 1: Internal Environment

Internal Environment Best Practices

✓ The Board of Directors and senior management set the tone for the organization’s risk culture; establish a risk-related committee at the board level.
✓ Produce a strategy statement that clarifies risk appetite, risk ownership, and the strategy to be used to identify and assess key risks.
✓ Create a new executive role, such as a Chief Risk Officer and Risk Office, with the responsibility across the entire organization for risk management.

Risk Management Philosophy

• The entity's risk management philosophy represents the shared beliefs and attitudes characterizing how the entity considers risk in all activities.

• It reflects the entity’s values, influencing its culture and operating style.

• It affects how enterprise risk management components are applied, including how events are identified, the kinds of risks accepted, and how they are managed.

• It is well developed, understood, and embraced by the entity's personnel. It is captured in policy statements, oral and written communications, and decision-making.

• Management reinforces the philosophy not only with words but also with everyday actions.

Risk Appetite

• The entity's risk appetite reflects the entity's risk management philosophy and influences the culture and operating style.

• It is considered in strategy-setting, with strategy aligned with risk appetite.

Board of Directors

• The Board is active and possesses an appropriate degree of management, technical, and other expertise, coupled with the mindset necessary to perform its oversight responsibilities.

• It is prepared to question and scrutinize management's activities, present alternative views, and act in the face of wrongdoing.

• It has at least a majority of independent outside directors.

• It provides oversight to enterprise risk management and is aware of and concurs with the entity's risk appetite.

Integrity and Ethical Values

• The entity's standards of behavior reflect integrity and ethical values.

• Ethical values not only are communicated but also accompanied by explicit guidance regarding what is right and wrong.

• Integrity and ethical values are communicated through a formal code of conduct.

• Upward communications channels exist where employees feel comfortable bringing relevant information.

• Penalties are applied to employees who violate the code of conduct, mechanisms encourage employee reporting of suspected violations, and disciplinary actions are taken against employees who knowingly fail to report violations.

• Integrity and ethical values are communicated through management actions and the examples they set.

Commitment to Competence

• Competence of the entity's people reflects the knowledge and skills needed to perform assigned tasks.

• Management aligns competence and cost.

Organizational Structure

• The organizational structure defines key areas of responsibility and authority.

• It establishes lines of reporting.

• It is developed in consideration of the entity's size and nature of activities.

• It enables effective enterprise risk management.

Assignment of Authority and Responsibility

• Assignment of authority and responsibility establishes the degree to which individuals and teams are authorized and encouraged to use initiative to address issues and solve problems, and provides limits to authority.

• The assignments establish reporting relationships and authorization protocols.

• Policies describe appropriate business practices, knowledge, and experience of key personnel, and associated resources.

• Individuals know how their actions interrelate and contribute to achievement of objectives.

Human Resource Standards

• Standards address hiring, orientation, training, evaluating, counseling, promoting, compensation, and remedial actions, driving expected levels of integrity, ethical behavior, and competence.

• Disciplinary actions send the message that violations of expected behavior will not be tolerated.

Component 2: Objective Setting

Objective Setting Best Practices

✓ Link the ERM process to a company’s strategic planning process. Use the objectives in the strategic plan as a basis for risk identification, risk assessment, and risk mitigation activities associated with the strategic plan.
✓ Include risk management in the strategic plan.

Strategic Objectives

• The entity's strategic objectives establish high-level goals that align with and support its mission and vision.

• They reflect management's strategic choices as to how the entity will seek to create value for its stakeholders.

• Management identifies risks associated with strategy choices and considers their implications.

Related Objectives

• Related objectives support and are aligned with selected strategy, relative to all entity activities.

• Each level of objectives is linked to more specific objectives that cascade through the organization.

• The objectives are readily understood and measurable.

• They align with risk appetite.

Selected Objectives

• Management has a process that aligns strategic objectives with the entity's mission and ensures the strategic and related objectives are consistent with the entity's risk appetite.

Risk Appetite

• The entity's risk appetite is a guidepost in strategy-setting.

• It guides resource allocation.

• It aligns organization, people, processes, and infrastructure.

Risk Tolerances

• Risk tolerances are measurable, preferably in the same units as the related objectives.

• They align with risk appetite.

Component 3: Risk/Event Identification

Risk Identification Best Practices

✓ Use a combination of a top-down and bottom-up approach to identify risks.
✓ Once the risks are identified, conduct an executive workshop designed to further understand, evaluate, and prioritize the core business risks in the context of the achievement of the strategic plan. Create a risk inventory of all risks facing the organization, including strategic, financial, operational, and regulatory threats.
✓ Focus on a small number of top risks.

Events

• Management identifies potential events affecting strategy implementation or achievement of objectives that may have positive or negative impacts.

• Even events with a relatively low possibility of occurrence are considered if the impact on achieving an important objective is great.

Influencing Factors

• Management recognizes the importance of understanding external and internal factors and the type of events that can emanate therefrom.

• Events are identified both at the entity and activity levels.

Event Identification Techniques

• Techniques look to both the past and future.

• Management selects techniques that fit its risk management philosophy and ensure the entity develops needed event-identification capabilities.

• Event identification is robust, forming a basis for risk assessment and risk response components.
OIG-A-2012-007, March 30, 2012\n\n\n\n  Interdependencies\n\n  \xe2\x80\xa2       Management understands how events relate to one another.\n\n\n  Distinguishing Risks and Opportunities\n\n  \xe2\x80\xa2       Events with negative impact represent risks, which management assesses and\n          responds to.\n\n  \xe2\x80\xa2       Events representing opportunities are channeled back to management's strategy or\n          objective-setting processes.\n\n\n\n\nComponent 4: Risk Assessment\n                                                    \xe2\x80\xa2 In assessing risk, management\nRisk Assessment Best Practices                   considers expected and unexpected events.\n\n\n\xef\x83\xbc Perform an in-depth, prioritized analysis of   Inherent and Residual Risk\n  the top three to five risks.\n                                                     \xe2\x80\xa2 Management considers inherent\n\xef\x83\xbc Develop a disciplined approach to\n  documenting, evaluating, and\n                                                 risks.\n  communicating risk mitigation.\n                                                    \xe2\x80\xa2 Once risk responses have been\n\xef\x83\xbc Develop standardized risk management tools\n                                                 developed, management considers inherent\n  for assessing risk.\n                                                 and residual risks.\n\n\n  Estimating Likelihood and Impact\n\n      \xe2\x80\xa2    Potential events are evaluated from two perspectives\xe2\x80\x94likelihood and impact.\n\n      \xe2\x80\xa2    In assessing impact, management normally uses the same, or congruent, unit of\n           measure as used for the objective.\n\x0c                                                                                              29\n                                 Amtrak Office of Inspector General\n            Amtrak Corporate Governance: Implementing a Risk Management Framework\n                        is 
Essential to Achieving Amtrak\xe2\x80\x99s Strategic Goals\n                            Report No. OIG-A-2012-007, March 30, 2012\n\n\n\n        \xe2\x80\xa2   The time horizon used to assess risks should be consistent with the time horizon\n            of the related strategy and objectives.\n\n\n      Assessment Techniques\n\n        \xe2\x80\xa2   Management uses a combination of qualitative and quantitative techniques.\n\n        \xe2\x80\xa2   The techniques support development of a composite assessment of risk.\n\n\n      Relationships between Events\n\n        \xe2\x80\xa2   Where correlation exists between events, or events combine and interact,\n            management assesses them together.\n\n\n\n    Component 5: Risk Response\n\n                                            \xe2\x80\xa2 In responding to risk, management considers\nRisk Response Best Practices             among risk avoidance, reduction, sharing, and\n                                         acceptance.\n\xef\x83\xbc Develop tools, such as a matrix, to\n  assess risk.\n                                         Evaluating Possible Responses\n\xef\x83\xbc Develop standardized risk\n  management tools for assessing risk.      
\xe2\x80\xa2   Responses are evaluated with the intent of\n                                         achieving residual risk aligned with the entity's risk\n                                         tolerances.\n\n        \xe2\x80\xa2   In evaluating risk responses, management considers their effects on likelihood\n            and impact.\n\n        \xe2\x80\xa2   Management considers their costs versus benefits, as well as new opportunities.\n\x0c                                                                                               30\n                            Amtrak Office of Inspector General\n       Amtrak Corporate Governance: Implementing a Risk Management Framework\n                   is Essential to Achieving Amtrak\xe2\x80\x99s Strategic Goals\n                       Report No. OIG-A-2012-007, March 30, 2012\n\n\n\n Selected Responses\n\n   \xe2\x80\xa2   Responses chosen by management are designed to bring anticipated risk\n       likelihood and impact within risk tolerances.\n\n   \xe2\x80\xa2   Management considers additional risks that might result from a response.\n\n\n Portfolio View\n\n   \xe2\x80\xa2   Management considers risk from an entity-wide, or portfolio, perspective.\n\n   \xe2\x80\xa2   Management determines whether the entity's residual risk profile is\n       commensurate with its overall risk appetite.\n\n\n\nComponent 6: Control Activities\n Integration with Risk Response\n\n   \xe2\x80\xa2   Management identifies control activities needed to help ensure that risk\n       responses are carried out properly and in a timely manner.\n\nControl Activities Best Practices                     \xe2\x80\xa2 Selection or review of control\n\xef\x83\xbc For each high-priority risk, the executive      activities includes consideration of their\n    management team should identify the risk      relevance and appropriateness to the risk\n    owners that will be accountable to identify   response and related objective.\n    current processes 
and controls in place, as\n    well as planned initiatives. The team\n                                                    \xe2\x80\xa2 In selecting control activities,\n    should develop additional initiatives that\n                                                  management considers how they interrelate.\n    are needed to close any gaps.\n\n\n\n Types of Control Activities\n\n   \xe2\x80\xa2   Management selects from a variety of types of control activities, including\n       preventive, detective, manual, computer, and management controls.\n\x0c                                                                                            31\n                             Amtrak Office of Inspector General\n        Amtrak Corporate Governance: Implementing a Risk Management Framework\n                    is Essential to Achieving Amtrak\xe2\x80\x99s Strategic Goals\n                        Report No. OIG-A-2012-007, March 30, 2012\n\n\n\n\n  Policies and Procedures\n\n    \xe2\x80\xa2   Policies are implemented thoughtfully, conscientiously, and consistently.\n\n    \xe2\x80\xa2   Procedures are carried out with sharp, continuing focus on conditions to which\n        the policy is directed.\n\n    \xe2\x80\xa2   Conditions identified as a result of the procedure are investigated and\n        appropriate corrective actions taken.\n\n\n  Controls over Information Systems\n\n    \xe2\x80\xa2   Appropriate general and application controls are implemented.\n\n\n\n\nComponent 7: Information and Communication\n\n                                                 Information\nInformation and Communication Best\nPractices                                           \xe2\x80\xa2 Relevant information is obtained\n                                                 from internal and external sources.\n\xef\x83\xbc Communicate openly for risk management to\n  succeed.\n                                                     \xe2\x80\xa2 The entity captures and uses\n\xef\x83\xbc The 
Board of Directors and senior\n                                                 historical and present data as needed to\n  management need to send a message to all\n                                                 support effective enterprise risk\n  parties about the importance of managing\n  risk.\n                                                 management.\n\n\xef\x83\xbc Develop communication plans to address\n                                                    \xe2\x80\xa2 The information infrastructure\n  issues relating to risks and the risk-\n                                                 converts raw data into relevant information\n  management process.\n                                                 that assists personnel in carrying out their\n\xef\x83\xbc Talk substantively about risk at every Board   enterprise risk management and other\n  meeting.                                       responsibilities; information is provided at a\n                                                 depth and in a form and time frame that are\n\x0c                                                                                       32\n                          Amtrak Office of Inspector General\n     Amtrak Corporate Governance: Implementing a Risk Management Framework\n                 is Essential to Achieving Amtrak\xe2\x80\x99s Strategic Goals\n                     Report No. 
OIG-A-2012-007, March 30, 2012\n\n\n\n     actionable, readily usable, and linked to defined accountabilities\xe2\x80\x94including the\n     need to identify, assess, and respond to risk.\n\n \xe2\x80\xa2   Source data and information are reliable and provided on time at the right place\n     to enable effective decision-making.\n\n \xe2\x80\xa2   Timeliness of information flow is consistent with the rate of change in the entity's\n     internal and external environments.\n\n \xe2\x80\xa2   Information systems change as needed to support new objectives.\n\n\n\nCommunication\n\n \xe2\x80\xa2   Management provides specific and directed communication addressing\n     behavioral expectations and responsibilities of personnel, including a clear\n     statement of the entity's risk management philosophy and approach and clear\n     delegation of authority.\n\n \xe2\x80\xa2   Communication about processes and procedures aligns with, and underpins, the\n     desired culture.\n\n \xe2\x80\xa2   All personnel receive a clear message from top management that enterprise risk\n     management must be taken seriously.\n\n \xe2\x80\xa2   Personnel know how their activities relate to the work of others, enabling them\n     to recognize problems, determine cause, and take corrective action.\n\n \xe2\x80\xa2   Personnel know what is deemed acceptable and unacceptable behavior.\n\n \xe2\x80\xa2   There are open channels of communication and a willingness to listen, and\n     personnel believe their superiors truly want to know about problems and will\n     deal with them effectively.\n\x0c                                                                                             33\n                             Amtrak Office of Inspector General\n        Amtrak Corporate Governance: Implementing a Risk Management Framework\n                    is Essential to Achieving Amtrak\xe2\x80\x99s Strategic Goals\n                        Report No. 
OIG-A-2012-007, March 30, 2012\n\n\n\n    \xe2\x80\xa2   Communications channels outside normal reporting lines exist, and personnel\n        understand there will be no reprisals for reporting relevant information.\n\n    \xe2\x80\xa2   An open communications channel exists between top management and the\n        Board of Directors, with appropriate information communicated on a timely\n        basis.\n\n    \xe2\x80\xa2   Open external communications channels exist, where customers and suppliers\n        can provide significant input.\n\n    \xe2\x80\xa2   The entity communicates relevant information to regulators, financial analysts,\n        and other external parties.\n\n\n\nComponent 8: Monitoring\n                                                   \xe2\x80\xa2 Management determines, through\nMonitoring Best Practices                       ongoing monitoring activities or separate\n                                                evaluations, or a combination, whether the\n\xef\x83\xbc Have senior management, which comprises       functioning of enterprise risk management\n  the Risk Oversight Committee, meet monthly\n                                                continues to be effective.\n  to review reports from various risk areas\n  across the company.\n\xef\x83\xbc Include regular progress reports and\n                                                Ongoing Monitoring Activities\n  comparisons to previous risk assessments so\n  changes and refinements can be made.             
\xe2\x80\xa2 Monitoring activities are built into\n                                                the entity's normal, recurring operations,\n                                                performed in the ordinary course of\n                                                running the business.\n\n    \xe2\x80\xa2   They are performed on a real-time basis and react dynamically to changing\n        conditions.\n\x0c                                                                                        34\n                          Amtrak Office of Inspector General\n     Amtrak Corporate Governance: Implementing a Risk Management Framework\n                 is Essential to Achieving Amtrak\xe2\x80\x99s Strategic Goals\n                     Report No. OIG-A-2012-007, March 30, 2012\n\n\n\nSeparate Evaluations\n\n \xe2\x80\xa2   Separate evaluations focus directly on enterprise risk management effectiveness\n     and provide an opportunity to consider the continued effectiveness of the\n     ongoing monitoring activities.\n\n \xe2\x80\xa2   The evaluator understands each of the entity activities and each enterprise risk\n     management component being addressed.\n\n \xe2\x80\xa2   The evaluator analyzes enterprise risk management design, and the results of\n     tests performed, against the backdrop of management's established standards,\n     determining whether enterprise risk management provides reasonable assurance\n     with respect to the stated objectives.\n\nReporting Deficiencies\n\n \xe2\x80\xa2   Deficiencies reported from both internal and external sources are carefully\n     considered for their implications for enterprise risk management, and\n     appropriate corrective actions are taken.\n\n \xe2\x80\xa2   All identified deficiencies that affect the entity's ability to develop and\n     implement its strategy and to achieve its established objectives are reported to\n     those positioned to take necessary action.\n\n \xe2\x80\xa2   Not only are 
reported transactions or events investigated and corrected, but\n     potentially faulty underlying procedures also are reevaluated.\n\n \xe2\x80\xa2   Protocols are established to identify what information is needed at a particular\n     level for effective decision-making.\n\x0c                                                                                          35\n                            Amtrak Office of Inspector General\n       Amtrak Corporate Governance: Implementing a Risk Management Framework\n                   is Essential to Achieving Amtrak\xe2\x80\x99s Strategic Goals\n                       Report No. OIG-A-2012-007, March 30, 2012\n\n\n\n\n                                          Appendix III\n\n             ENTERPRISE RISK MANAGEMENT RESOURSES\n\nWeb sites\n The Risk and Insurance Management              www.rims.org\n Society\n Committee of Sponsoring Organizations of       http://coso.org/\n the Treadway Commission (COSO)\n PricewaterhouseCoopers                         http://www.pwc.com/us/en/thought-\n                                                leadership/risk.jhtml\n American Institute of Certified Public         http://www.aicpa.org/_catalogs/masterpage/Se\n Accountants (AICPA)                            arch.aspx?S=risk+management\n Institute of Internal Auditors (IIA)           http://www.theiia.org/guidance/standards-and-\n                                                guidance/ippf/practice-guides/\n Protiviti                                      http://www.protiviti.com/en-\n                                                US/Pages/default.aspx\n KPMG                                           http://www.kpmg.com/us/en/pages/default.asp\n                                                x\n University of California                       http://www.ucop.edu/riskmgt/erm/dashboard.\n                                                html\n National Oceanic and Atmospheric               http:www.NOAA.gov\n Administration\n British 
Columbia\xe2\x80\x94Ministry of Finance           http:www.gov.bc.ca/fin\n\n\n\nPublications\n Enterprise Risk Management\xe2\x80\x94Integrated          COSO\n Framework (Executive Summary)\n Enterprise Risk Management\xe2\x80\x94Integrated          COSO\n Framework (Application Techniques)\n Strengthening Enterprise Risk Management       COSO\n for Strategic Advantage\n\x0c                                                                              36\n                           Amtrak Office of Inspector General\n      Amtrak Corporate Governance: Implementing a Risk Management Framework\n                  is Essential to Achieving Amtrak\xe2\x80\x99s Strategic Goals\n                      Report No. OIG-A-2012-007, March 30, 2012\n\n\n\nEmbracing Enterprise Risk management,         COSO\nPractical Approaches for Getting Started\n\nRisk Assessment for Mid-Sized Companies       AICPA\nA Unified Approach to Risk Management         AICPA\nEffective Enterprise Risk Management          AICPA\nStarts With A Conversation\nAdding Value, Not Bureaucracy: Linking        AICPA\nGovernance, Enterprise Risk Management,\nand Internal Controls\nBoard and Audit Committee Involvement in      AICPA\nRisk Management Oversight\nSeven Steps Toward a Proactive, Value-        AICPA\nAdded Enterprise Risk Management\nProgram\nIPPF Practice Guide: Assessing the Adequacy   IIA\nof Risk Management\n\nAssessing the Adequacy of Risk                IIA\nManagement\nImproving Board Risk Oversight Through        IIA Research Foundation\nBest Practices\nEnterprise Risk Management: Trends and        IIA Research Foundation\nEmerging Practices\nGlobal Best Practices                         PricewaterhouseCoopers\nBusiness risk model                           PricewaterhouseCoopers\nTen Common Risk Management Failures           Protiviti\nand How to Avoid Them\nRisk Management: A Look Back and a Look       Protiviti\nForward\nProfiles of Companies Building Effective      Protiviti\nERM 
Programs\n\x0c                                                                                       37\n                           Amtrak Office of Inspector General\n      Amtrak Corporate Governance: Implementing a Risk Management Framework\n                  is Essential to Achieving Amtrak\xe2\x80\x99s Strategic Goals\n                      Report No. OIG-A-2012-007, March 30, 2012\n\n\n\nEnterprise risk oversight                    Chartered Institute of Management\n                                             Accountants and AICPA research series\n                                             September 2010\n\nImplementing Enterprise-wide Risk            Trent Derr, Syntex Management Systems, Inc.\nReduction Across Operational and Financial\nProcesses\nManaging Risk in Government: An              Dr. Karen Hardy\nIntroduction to Enterprise Risk\nManagement\nA Board Perspective on Enterprise Risk       McKinsey & Company\nManagement\nRisk Management Best Practices               Microsoft Corp.\nNavigating Unchartered Waters\xe2\x80\x94Best           GRC Daily\nPractices for Managing Risks Across the\nEnterprise\nBest Practices in Risk Management: Private   Treasury Board of Canada\nand Public Sectors Internationally\nImplementing an Enterprise Risk              Lexis/Nexis\nManagement Evaluation\nOverview of Enterprise Risk Management       Casualty Actuarial Society\n\x0c                                                                        38\n                     Amtrak Office of Inspector General\nAmtrak Corporate Governance: Implementing a Risk Management Framework\n            is Essential to Achieving Amtrak\xe2\x80\x99s Strategic Goals\n                Report No. 
OIG-A-2012-007, March 30, 2012\n\n\n\n\n                            Appendix IV\n\n COMMENTS FROM THE CHAIRMAN OF AMTRAK\xe2\x80\x99S\n        BOARD OF DIRECTORS AND\n      AMTRAK\xe2\x80\x99S PRESIDENT AND CEO\n\x0c                                                                               39\n                           Amtrak Office of Inspector General\n      Amtrak Corporate Governance: Implementing a Risk Management Framework\n                  is Essential to Achieving Amtrak\xe2\x80\x99s Strategic Goals\n                      Report No. OIG-A-2012-007, March 30, 2012\n\n\n\n\n                                      Appendix V\n\n                              ABBREVIATIONS\n\nADA         Americans with Disabilities Act\n\nAICPA       American Institute of Certified Public Accountants\n\nCEO         Chief Executive Officer\n\nCOSO        Committee of Sponsoring Organizations of the Treadway Commission\n\nERM         Enterprise Risk Management\n\nIIA         Institute of Internal Auditors\n\nIT          Information Technology\n\nOIG         Office of Inspector General\n\x0c                                                                             40\n                          Amtrak Office of Inspector General\n     Amtrak Corporate Governance: Implementing a Risk Management Framework\n                 is Essential to Achieving Amtrak\xe2\x80\x99s Strategic Goals\n                     Report No. OIG-A-2012-007, March 30, 2012\n\n\n\n\n                                     Appendix VI\n\n                            OIG TEAM MEMBERS\n\nDavid R. 
Warren, Assistant Inspector General, Audits\n\nEdward Stulginsky, Senior Director\n\nJoseph Zammarella, Audit Manager\n\nJohn Borelli, Consultant\n\nWilliam Dolan, Consultant\n\nJohn Kalmar, Consultant\n\nKenneth Knouse, Consultant\n\x0c                                                                                      41\n                          Amtrak Office of Inspector General\n     Amtrak Corporate Governance: Implementing a Risk Management Framework\n                 is Essential to Achieving Amtrak\xe2\x80\x99s Strategic Goals\n                     Report No. OIG-A-2012-007, March 30, 2012\n\n\n\n\n           OIG MISSION AND CONTACT INFORMATION\nAmtrak OIG\xe2\x80\x99s Mission         Amtrak OIG\xe2\x80\x99s mission is to\n                             \xe2\x80\xa2 conduct and supervise independent and objective\n                               audits, inspections, evaluations, and investigations\n                               relating to Amtrak programs and operations;\n                             \xe2\x80\xa2 promote economy, effectiveness, and efficiency within\n                               Amtrak;\n                             \xe2\x80\xa2 prevent and detect fraud, waste, and abuse in Amtrak's\n                               programs and operations;\n                             \xe2\x80\xa2 review security and safety policies and programs; and\n                             \xe2\x80\xa2 review and make recommendations regarding existing\n                               and proposed legislation and regulations relating to\n                               Amtrak's programs and operations.\n\nObtaining Copies of OIG Available at our website: www.amtrakoig.gov.\nReports and Testimony\n\nTo Report Fraud, Waste, Report suspicious or illegal activities to the OIG Hotline\nand Abuse               (you can remain anonymous):\n\n                             Web:      www.amtrakoig.gov/hotline\n                             Phone:    
800-468-5469\n\nCongressional and            E. Bret Coulson, Senior Director\nPublic Affairs               Congressional and Public Affairs\n                             Mail:     Amtrak OIG\n                                       10 G Street, N.E., 3W-300\n                                       Washington, DC 20002\n                             Phone:    202-906-4134\n                             Email:    bret.coulson@amtrakoig.gov\n\x0c"